From owner-freebsd-bugbusters@FreeBSD.ORG Tue Jun 21 19:52:04 2005
Date: Tue, 21 Jun 2005 15:52:02 -0400
From: Martin Cracauer
To: bugbusters@FreeBSD.org
Cc: freebsd-hackers@FreeBSD.org
Subject: Serious braindamage in the send-pr web interface
Message-ID: <20050621155202.A99219@cons.org>

The security code of the web interface seems to really screw people
over (the image displaying a text that you have to enter).

It goes like this:
- open web page
- enter PR
- enter security code but get anything wrong (case is sufficient)

You get an error complaining about the security code.

Press back.  Your carefully edited PR is still there.  Good.

However, it displays the same image and the same security code as
before, although send-pr seems to have generated a new one internally.
The new code is not displayed, however, since there is no expire
header on the old one and you just hit the "back" button.

So it displays the old code to the user while it already expects a new
one.

So it rejects everything that comes out of the sequence "back button"
and resubmitting, no matter how often you do it.  It never displays
its currently expected code in an image in the user's browser, it
reuses the first image every time.

If you figure that this is the problem you press reload - and your PR
is gone :-/

I think this might be fixable as easy as setting an expire header on
the image.

Also, it shouldn't be all-uppercase and case sensitive, that is
pointless.

Martin
-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer http://www.cons.org/cracauer/
No warranty.  This email is probably produced by one of my cats
stepping on the keys.  No, I don't have an infinite number of cats.

From owner-freebsd-bugbusters@FreeBSD.ORG Tue Jun 21 22:13:54 2005
Date: Tue, 21 Jun 2005 23:13:52 +0100
From: Ceri Davies
To: Martin Cracauer
Cc: freebsd-hackers@FreeBSD.org, bugbusters@FreeBSD.org
Subject: Re: Serious braindamage in the send-pr web interface
Message-ID: <20050621221352.GE14221@submonkey.net>
In-Reply-To: <20050621155202.A99219@cons.org>

On Tue, Jun 21, 2005 at 03:52:02PM -0400, Martin Cracauer wrote:
> The security code of the web interface seems to really screw people
> over (the image displaying a text that you have to enter).
>
> It goes like this:
> - open web page
> - enter PR
> - enter security code but get anything wrong (case is sufficient)
>
> You get an error complaining about the security code.
>
> Press back.  Your carefully edited PR is still there.  Good.
>
> However, it displays the same image and the same security code as
> before, although send-pr seems to have generated a new one internally.
> The new code is not displayed, however, since there is no expire
> header on the old one and you just hit the "back" button.
>
> So it displays the old code to the user while it already expects a new
> one.
>
> So it rejects everything that comes out of the sequence "back button"
> and resubmitting, no matter how often you do it.  It never displays
> its currently expected code in an image in the user's browser, it
> reuses the first image every time.
>
> If you figure that this is the problem you press reload - and your PR
> is gone :-/
>
> I think this might be fixable as easy as setting an expire header on
> the image.

It has Pragma: no-cache and a dummy '?' in the URL.  What does an
"expire header" that expires immediately look like?

> Also, it shouldn't be all-uppercase and case sensitive, that is
> pointless.

Point taken; I actually remember committing lowercase letters.
Interesting that it never really happened...

Ceri

PS www issues go to www@, not hackers@.
-- 
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.                    -- Einstein (attrib.)

From owner-freebsd-bugbusters@FreeBSD.ORG Wed Jun 22 02:49:52 2005
Date: Tue, 21 Jun 2005 22:49:49 -0400
From: Martin Cracauer
To: Ceri Davies, Martin Cracauer, bugbusters@FreeBSD.org
Subject: Re: Serious braindamage in the send-pr web interface
Message-ID: <20050621224948.A7038@cons.org>
In-Reply-To: <20050621221352.GE14221@submonkey.net>
References: <20050621155202.A99219@cons.org> <20050621221352.GE14221@submonkey.net>

> > I think this might be fixable as easy as setting an expire header on
> > the image.
>
> It has Pragma: no-cache and a dummy '?' in the URL.  What does an
> "expire header" that expires immediately look like?

You just send an expire header with the current time or a time in the
past.

I am sure that whatever mechanism is in use right now didn't work on
Firefox 1.04, it keeps the old image when you go back.

Martin
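
The "expire header with the current time or a time in the past" discussed in this thread, as an added example that is not code from send-pr or from anyone in the thread. It goes slightly beyond the thread by also setting Cache-Control and by comparing the typed code case-insensitively; the function names and the sample header set are assumptions constructed from the thread's description.

```python
import hmac
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed from the thread's description of what the image response carried.
REPORTED_HEADERS = {"Content-Type": "image/png", "Pragma": "no-cache"}


def captcha_image_headers(now):
    """Headers for a one-time CAPTCHA image: already expired, never stored."""
    stamp = format_datetime(now, usegmt=True)  # now must be timezone-aware UTC
    return {
        "Content-Type": "image/png",
        "Date": stamp,
        "Expires": stamp,  # Expires <= Date marks the response as already stale
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",  # kept only for HTTP/1.0-era clients
    }


def explicitly_uncacheable(headers, now):
    """True if the headers themselves forbid reuse without a refetch."""
    h = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if directives & {"no-store", "no-cache", "max-age=0"}:
        return True
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):
            return True  # an invalid Expires value (such as "0") means expired
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    # Pragma in a response has no defined meaning in HTTP/1.1, so it is not
    # counted; with nothing else set, a client may apply heuristic freshness.
    return False


def codes_match(submitted, expected):
    """Case-insensitive, constant-time comparison of the typed code."""
    return hmac.compare_digest(submitted.strip().upper().encode(),
                               expected.upper().encode())


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(explicitly_uncacheable(REPORTED_HEADERS, now))            # reported set
    print(explicitly_uncacheable(captcha_image_headers(now), now))  # hardened set
```

Browsers treat back/forward history separately from the HTTP cache, so the check says what the headers permit, not what a particular browser version does on "back".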